TOMOYO Linux A Lightweight and Manageable Security System for PC - - PowerPoint PPT Presentation

tomoyo linux
SMART_READER_LITE
LIVE PREVIEW

TOMOYO Linux A Lightweight and Manageable Security System for PC - - PowerPoint PPT Presentation

Feb 09, 2023 165 likes •655 views

CE Linux Forum Worldwide Embedded Linux Conference 2007 April 17-19, 2007 TOMOYO Linux A Lightweight and Manageable Security System for PC and Embedded Linux http://tomoyo.sourceforge.jp/ Toshiharu Harada Tetsuo Handa NTT DATA

slide-1
SLIDE 1

TOMOYO Linux

“A Lightweight and Manageable Security System for PC and Embedded Linux” http://tomoyo.sourceforge.jp/

Toshiharu Harada Tetsuo Handa NTT DATA CORPORATION http://www.nttdata.co.jp/en/index.html

CE Linux Forum Worldwide Embedded Linux Conference 2007 April 17-19, 2007

slide-2
SLIDE 2

Hello, world! Hello, world!

  • This is the very first presentation abroad for our work,

“TOMOYO Linux”.

  • TOMOYO Linux is a MAC (Mandatory Access Control)

implementation for Linux.

  • TOMOYO Linux consists of a set of patches for kernel

2.4/2.6 and a couple of administrative tools. It has been ported to various distributions.

  • TOMOYO Linux is available at http://tomoyo.sourceforge.jp/

under the GPL license.

  • You can browse&search the code at

http://tomoyo.sourceforge.jp/cgi-bin/lxr/source

2007-04-18 NTT DATA CORPORATION 2

slide-3
SLIDE 3

About NTT DATA About NTT DATA

  • http://www.nttdata.co.jp/en/index.html
  • One of the largest SI companies in Japan.

– Data

  • Established: May 23, 1988
  • Ordinary Income: 42,016 million yen
  • Number of Employees: 8,406
  • Common Stock: 142,520 million yen
  • Net Sales: 907,281 million yen
  • (see http://www.nttdata.co.jp/en/aboutus/a09.html for more detail)
  • TOMOYO Linux project:

– Launched March 2003. – Members: started from 2. currently 5. – Exceptionally small project in the largest company. :-)

2007-04-18 NTT DATA CORPORATION 3

slide-4
SLIDE 4

TOMOYO Linux: Background TOMOYO Linux: Background

  • Originated from NTT DATA CORPORATION R&D.
  • Project started in March 2003.
  • First public release in November 2005.
  • Ported to Debian Sarge/Etch, RedHat Linux 9,

Fedora Core 3-6, CentOS 4.4/5, OpenSUSE 10.1/10.2, Asianux 2.0, Ubuntu 6.10/7.04 and more (check the link below). – http://sourceforge.jp/projects/tomoyo/files/

  • Suits well to embedded systems.

2007-04-18 4 NTT DATA CORPORATION

slide-5
SLIDE 5

Topics Covered in This Session: Topics Covered in This Session:

  • Overview of TOMOYO Linux and MAC.
  • What TOMOYO Linux can do/can’t do.
  • Concepts.
  • Automatic policy configuring feature.
  • TOMOYO Linux policy.
  • How it works.
  • Short demonstration.
  • Comparison to other security enhanced OSs.

2007-04-18 NTT DATA CORPORATION 5

slide-6
SLIDE 6

Topics NOT Covered in This Session: Topics NOT Covered in This Session:

  • Whether name-based access control is evil or

not.

– It’s too technical and complex. – TOMOYO Linux will have a BOF session in the upcoming Ottawa Linux Symposium. Please join and help/save us!

  • In-depth demonstration.

– Will be shown in the following tutorial session, don’t miss it! Or please consider installing binary package yourself (10 minutes job).

  • http://tomoyo.sourceforge.jp/en/1.4/install.html

2007-04-18 NTT DATA CORPORATION 6

slide-7
SLIDE 7

Part 1

MAC and TOMOYO Linux Overview

2007-04-18 NTT DATA CORPORATION 7

slide-8
SLIDE 8

What is What is “ “MAC MAC” ”? ?

  • “Mandatory Access Control”

– No exceptions even for “root” users and no bypass. – Accesses are strictly judged according to the rules (called “policy”). – Traditional access control is referred as DAC (Discretionary Access Control).

  • Implementation.

– (1) “Hook” a request (e.g. system call). – (2) “Judge” whether to execute the request or not. – (3) “Process” the request. – 2.6 kernel has a built-in framework for hooks – LSM (Linux Security Modules).

2007-04-18 NTT DATA CORPORATION 8

slide-9
SLIDE 9

What is What is “ “hook hook” ”? ?

2007-04-18 NTT DATA CORPORATION 9

kernel application system call interface DAC (traditional access control) system call procedures

slide-10
SLIDE 10

What is What is “ “hook hook” ”? ?

2007-04-18 NTT DATA CORPORATION 10

kernel application system call interface DAC (traditional access control) MAC system call procedures hook “policy”

slide-11
SLIDE 11

What is What is “ “policy policy” ”? ?

  • DAC checks “rwx” attributes associated with
  • filesystem. (very simple)
  • MAC engine needs “rules” to make decision.
  • “Policy” is the name for the rules.

– MAC is useless without good policy.

  • No standard policy syntax exists (so far).
  • Policy is defined as a set of “conditions”.

– if (condition) then Access is (granted/denied).

2007-04-18 NTT DATA CORPORATION 11

slide-12
SLIDE 12

What is TOMOYO Linux? What is TOMOYO Linux?

  • “Lightweight” and “usable” Mandatory

Access Control for Linux, with

– “automatic policy configuring” feature. – administrators friendly policy language. – English documentation. – 2.4 kernel and BusyBox support. – no filesystem limitations (runs with any filesystem). – no need of libselinux nor userland program modifications.

2007-04-18 12 NTT DATA CORPORATION

slide-13
SLIDE 13

What is TOMOYO Linux? What is TOMOYO Linux?

  • TOMOYO Linux

– is not using LSM (Linux Security Modules) .

  • Some work is in progress.

– does not have MLS (Multi Level Security), RBAC (Role Based Access Control) mechanisms..

  • If you need MLS, use SELinux.
  • RBAC like usages are available.

– is not included in Linux kernel source.

  • yet

– can do unusual things and playing with TOMOYO Linux is so much fun. – is no guarantee. (use at your own risk, of course)

2007-04-18 13 NTT DATA CORPORATION

slide-14
SLIDE 14

What is What is “ “domain domain” ”? ?

  • Whether a request

is legal or not depends on the “context”.

  • Most MAC system

refers this context as “domain”.

  • “Domain” is a kind of

group/unit.

2007-04-18 NTT DATA CORPORATION 14

domain A domain B domain C domain D d

  • m

a i n E

/etc/shadow can be read if …

NTT DATA CORPORATION

slide-15
SLIDE 15

TOMOYO Linux Policy TOMOYO Linux Policy

  • Exceptionally simple. Any Linux/UNIX

users can read and write it.

15

<kernel> /usr/sbin/sshd /bin/bash /bin/csh 1 /bin/grep 1 /bin/sed 4 /dev/null 4 /etc/csh.cshrc 4 /etc/group 4 /etc/nsswitch.conf ・・・ 1 /usr/bin/[ 1 /usr/bin/dircolors 1 /usr/bin/id 1 /usr/bin/test /bin/csh process that was invoked from /bin/bash that was invoked from /usr/bin/sshd “<kernel>” is the virtual bottom mode path mode: 1 --x 2 –w- 4 r— 6 rw-

NTT DATA CORPORATION

is the current “domain”

2007-04-18

slide-16
SLIDE 16

SELinux Policy SELinux Policy

16 2007-04-18 NTT DATA CORPORATION From Japan Technical Jamboree 12.

“*.te”: access control definitions for “*”. “*.fc”: label definitions for “bind”. “fc” stands for “file context”. Policy is described in terms of label, not path name. (but label definition is described in terms of path names). Macros are introduced to make policy more readable. SELinux kernel needs policy to be compiled before use.

slide-17
SLIDE 17

AppArmor Policy AppArmor Policy

17 2007-04-18 NTT DATA CORPORATION

  • Above definition is applied to every instance of /usr/sbin/named

(No process invocation history mechanism exists with AppArmor).

  • In TOMOYO Linux, “<kernel> /foo /bar /usr/sbin/named” and

“<kernel> /boo /bar /baz /usr/sbin/named” is distinguished and treated independently.

  • SELinux simply cares about “label”.

From Japan Technical Jamboree 12.

slide-18
SLIDE 18

AppArmor Policy (cont.) AppArmor Policy (cont.)

  • Similarities with TOMOYO Linux:

– Both use “pathname based” definition.

  • Differences:

– TOMOYO Linux distinguishes domain by a process invocation history while AppArmor does by a single process. – TOMOYO Linux provides MAC for network and signals.

2007-04-18 NTT DATA CORPORATION 18

slide-19
SLIDE 19

Domains in TOMOYO Linux Domains in TOMOYO Linux

2007-04-18 NTT DATA CORPORATION 19

0 +- sshd (2859) <kernel> /usr/sbin/sshd 0 +- sshd (3807) <kernel> /usr/sbin/sshd 1 +- bash (3809) <kernel> /usr/sbin/sshd /bin/bash 2 +- ccstree (3942) <kernel> /usr/sbin/sshd /bin/bash /root/ccstools/ccstree

  • In TOMOYO Linux

– every process belongs to a domain. – every process remembers its ancestors. – ACL are controlled by the domain, not by a current process name.

  • Utility program, “ccstree”, prints out

domain information for running processes.

slide-20
SLIDE 20

TOMOYO Keeps Track of Process TOMOYO Keeps Track of Process Invocation History Invocation History

2007-04-18 NTT DATA CORPORATION 20

<kernel> /sbin/mingetty <kernel> /sbin/mingetty /bin/login <kernel> /sbin/mingetty /bin/login /bin/bash <kernel> /sbin/mingetty /bin/login /bin/bash /bin/ls

slide-21
SLIDE 21

A Slightly Complicated Example A Slightly Complicated Example

Suppose that you are logged-in into a ssh server and execute a man command: <kernel> /usr/sbin/sshd /bin/bash /usr/bin/man /bin/sh = current domain 1 /bin/gunzip 2 /dev/null 6 /dev/tty 4 /etc/mtab 1 /usr/bin/bzip2 1 /usr/bin/gtbl 1 /usr/bin/less 1 /usr/bin/nroff 2 /var/cache/man/cat1/pstree.1.bz2 allow_truncate /var/cache/man/cat1/pstree.1.bz2

2007-04-18 NTT DATA CORPORATION 21

1 2 3 4

slide-22
SLIDE 22

Automatic Policy Generation Automatic Policy Generation

  • How to use:
  • 1. Change “mode (explained later)” of TOMOYO

Linux kernel to “policy generation”.

  • 2. Just operate as you want.
  • 3. TOMOYO Linux generates the required access

control lists as policy.

  • 4. Check it and modify it.
  • 5. Done
  • Advantages

– Saves time enormously. – The resulting policy is quite “readable”.

2007-04-18 NTT DATA CORPORATION 22

slide-23
SLIDE 23

Demo Demo

2007-04-18 NTT DATA CORPORATION 23

slide-24
SLIDE 24

Automatic Policy Generation Automatic Policy Generation

  • How it works?

– TOMOYO kernel keeps track of:

  • access requests (by original hooks).
  • process invocation history (something like pstree
  • riginated from /sbin/init) – every process knows

its ancestors under TOMOYO Linux.

  • assigns each individual “process invocation

history” as a “domain”.

– ex. “<kernel> /sbin/init /etc/rc.d/rc /etc/rc.d/rc.local”

2007-04-18 NTT DATA CORPORATION 24

slide-25
SLIDE 25

Life with TOMOYO Linux Life with TOMOYO Linux

2007-04-18 NTT DATA CORPORATION 25

Hey boss, just got policy, please check.

apache t

  • m

c a t

  • Administrating TOMOYO Linux is easy and fun.

Thank you.

slide-26
SLIDE 26

Life with Other MAC Systems Life with Other MAC Systems

  • Why it’s not working?
  • Is it failure of my APP or my policy? How am I

suppose to find?

  • I’d rather disable it …

2007-04-18 NTT DATA CORPORATION 26

slide-27
SLIDE 27

SELinux FAQ says: SELinux FAQ says:

  • The security of an unmodified Linux system

depends on the correctness of the kernel, all the privileged applications, and each of their

  • configurations. A problem in any one of these

areas may allow the compromise of the entire system.

  • In contrast, the security of a modified system

based on the Security-enhanced Linux kernel depends primarily on the correctness of the kernel and its security policy configuration.

2007-04-18 NTT DATA CORPORATION 27

slide-28
SLIDE 28

Domain Transition Domain Transition

  • Handled by TOMOYO Linux kernel

automatically .

  • Domain simply gets deeper by default.
  • The name of a domain is like “<kernel>

/sbin/init …”.

– No administrator operation necessary. – No file context definition necessary. – No need of “xattr”.

2007-04-18 NTT DATA CORPORATION 28

slide-29
SLIDE 29

Domain Transition Domain Transition

2007-04-18 NTT DATA CORPORATION 29

/sbin/init <kernel> /sbin/init /etc/rc.d/rc.sysinit <kernel> /sbin/init /etc/rc.d/rc /etc/rc.d/rc.sysinit /etc/rc.d/rc <kernel> <kernel> /sbin/init <kernel> /sbin/init /etc/rc.d/rc ・・・ foo <kernel> /sbin/init /etc/rc.d/rc ・・・ foo bar foo bar

slide-30
SLIDE 30

Domains in SELinux Domains in SELinux

  • Domain names and domain transition

conditions must be defined beforehand.

  • Domains are flat and have no levels.

2007-04-18 NTT DATA CORPORATION 30

execve()

kernel_t init_t initrc_t

sshd_t

user_t

httpd_t sysadm_t

sysadm_t staff_t

slide-31
SLIDE 31

Mode Mode

  • SELinux

– has 3 modes.

  • disabled
  • permissive (it is “ok”, even if policy says “no”)
  • enforcing (if policy says “no”, it is “no”)

– Mode is system global in SELinux.

  • TOMOYO Linux

– 4 modes.

  • disabled
  • permissive
  • policy generation
  • enforcing

– Mode is selectable on a per domain basis.

2007-04-18 NTT DATA CORPORATION 31

disabled/permissive/ enforcing apache: enforcing sshd: enforcing man: disabled crond: permissive apache: generation sshd: generation man: disabled crond: generation

slide-32
SLIDE 32

Part 2

TOMOYO Linux for Embedded Systems

2007-04-18 NTT DATA CORPORATION 32

slide-33
SLIDE 33

MAC for Embedded Systems MAC for Embedded Systems

  • Embedded systems need security, too.
  • Resource issues:

– SELinux need “xattr” aware filesystems. – Tight requirements for memory and CPU.

  • BusyBox issue:

– Sharing a binary image is good for saving storage, but sharing “context” can harm MAC. – BusyBox has incorporated SELinux supports recently. – TOMOYO Linux has built-in support for BusyBox.

2007-04-18 NTT DATA CORPORATION 33

slide-34
SLIDE 34

Affinity with Embedded Linux Affinity with Embedded Linux

  • Small memory footprint.

– 100KB for kernel code and data. – A few hundred KB for policy.

  • Targeted Protection.

– You can protect selectively.

  • Small performance impact.

– No checks for read()/write() system calls.

2007-04-16 2007-04-18 NTT DATA CORPORATION 34 34 NTT DATA CORPORATION

slide-35
SLIDE 35

Affinity with Embedded Linux Affinity with Embedded Linux

  • Program invocation via symbolic link.

– “alias /bin/bash /bin/sh” will allow you to distinguish /bin/bash and /bin/sh .

  • Program invocation via hard link.

– You can distinguish /bin/gzip and /bin/gunzip without any prescription.

2007-04-16 2007-04-18 NTT DATA CORPORATION 35 35 NTT DATA CORPORATION

slide-36
SLIDE 36

Affinity with Embedded Linux Affinity with Embedded Linux

  • No xattr support required.

– 100% filesystem independent.

  • No GUI environment required.

– Administration tasks are quite simple enough that you can do it using CUI (e.g. console or ssh session).

  • No modification required.

– You don’t need any patches for your userland programs.

2007-04-16 2007-04-18 NTT DATA CORPORATION 36 36 NTT DATA CORPORATION

slide-37
SLIDE 37

Affinity with Embedded Linux Affinity with Embedded Linux

  • Dynamically created files.

– Sometimes files are dynamically created in a volatile filesystem. Such files have no fixed inode-number nor determinate inode-xattr. – LIDS needs stable inode-number. – SELinux needs stable inode-xattr. – TOMOYO doesn’t need either.

2007-04-16 2007-04-18 NTT DATA CORPORATION 37 37 NTT DATA CORPORATION

slide-38
SLIDE 38

Affinity with Embedded Linux Affinity with Embedded Linux

  • Automatic policy generation.

– TOMOYO will observe your system’s behavior and build the exact policy for you. – You have got a professional tailor!

  • Easy policy accommodation.

– You can assign multiple pathnames to a file. – No need for accommodation of label assignment like SELinux.

2007-04-16 2007-04-18 NTT DATA CORPORATION 38 38 NTT DATA CORPORATION

slide-39
SLIDE 39

Affinity with Embedded Linux Affinity with Embedded Linux

  • Unusual pathnames.

– TOMOYO Linux is a pathname based MAC. – TOMOYO Linux can handle any characters including white-spaces, carriage-return, non- printable characters (e.g. BS), non-ASCII characters (e.g. EUC_JP) in the pathname. – All names in TOMOYO Linux consist of ASCII printable characters.

2007-04-16 2007-04-18 NTT DATA CORPORATION 39 39 NTT DATA CORPORATION

slide-40
SLIDE 40

GUI GUI

  • TOMOYO Linux can be fully controlled via tty

and no GUI is necessary, but

  • we are developing a Eclipse plug-in for GUI

lovers/addicts.

  • The plug-in talks to TOMOYO Linux kernel

through SSH protocol.

  • No server side libraries are required.
  • English is supported as well as Japanese.

2007-04-18 NTT DATA CORPORATION 40

slide-41
SLIDE 41

2007-04-18 NTT DATA CORPORATION 41

slide-42
SLIDE 42

2007-04-18 NTT DATA CORPORATION 42

slide-43
SLIDE 43

2007-04-18 NTT DATA CORPORATION 43

slide-44
SLIDE 44

2007-04-18 NTT DATA CORPORATION 44

slide-45
SLIDE 45

Usages Other Than Security Usages Other Than Security

  • TOMOYO is not only for security!

– You can analyze your Linux very deeply. – TOMOYO Linux can find out unused files and unexpected behavior for you (you can save space by deleting them). – “rm –rf *” will cause a disaster on normal Linux, but it will not if you are running TOMOYO Linux and keeping proper policies. – Just looking at the policies is so much fun. it also helps to understand OS mechanisms.

2007-04-18 NTT DATA CORPORATION 45

slide-46
SLIDE 46

Plans Plans

  • 2007 Ottawa Linux Symposium BoF.

– Introduce TOMOYO Linux to label-guys. – Is “name based access control” a fatal illness?

  • We would like to merge our work to be

included in main line (if we survive Ottawa).

– Propose patches to LSM (to make pathname based MAC work). – Propose capabilities extension to LSM.

2007-04-18 NTT DATA CORPORATION 46

slide-47
SLIDE 47

Please Come to See TOMOYO Linux Please Come to See TOMOYO Linux

2007-04-18 NTT DATA CORPORATION 47

April 18, Room B 18-340 15:40-16:30 Presentation 18-440 16:40-17:30 Tutorial Don’t miss it!